Deploy Micro-Agent/Sysmon via GPO

Version 1.4

Overview:

Active Directory’s Group Policy Objects (GPOs) can be used to push/deploy Micro-Agent and Sysmon to end-machines (Windows computers) that are joined to AD. This guide demonstrates the steps needed to:

· Prepare a distribution point in Active Directory (AD) for the installation package

· Prepare the deployment scripts as per environment

· Create a Group Policy Object to deploy the package & link the GPO to the appropriate Organizational Unit(s)

· Force a Group Policy update on the client computer to test the deployment

Requirements:

The following requirements should be fulfilled before using this document:

· Existing Active Directory infrastructure with defined Organizational Units (OU’s)

· End-machines (Windows computers) must be joined to your domain and must have connectivity to the domain controllers in order to receive Group Policy updates

Document was prepared using the following Azure lab environment:

· Domain Controller: Microsoft Windows Server 2016

· End-Machines: Microsoft Windows 10 64bit

Technical Terms used interchangeably throughout this document:

· Micro-Agent: Winlogbeat

· Sysmon: Sysmon

Note: There may be minor variations in the screens and steps shown if you are using different versions of Windows, but the process is generally the same.

Preparing distribution point to push the packages:

1. Copy the provided Micro-Agent package on to the Active Directory machine.

2. On the Active Directory server, navigate to the location where the Micro-Agent package was copied and create a read-only share that is accessible by all end-machines.

3. Follow the steps below to create a shared folder (distribution point) with read-only access:

a. Right-click the “Micro-Agent” folder and open its Properties window, switch to the ‘Sharing’ tab and click ‘Advanced Sharing’.

b. In the ‘Advanced Sharing’ window, check the option “Share this folder” and provide the share name. Click ‘Permissions’ (underneath the Comments section); this opens a new window for setting the share permissions. Set the access permission to “READ ONLY” for Everyone, as shown below, and apply the changes.

c. This share should now be accessible by all end-machines with read-only access via a share path such as “\\<AD-Hostname>\Micro-Agent\”.
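The same distribution point can be created and checked from PowerShell. The script below is an added example, not part of the BluSapphire guide; it assumes a local folder path (C:\Deployments\Micro-Agent) and the share name Micro-Agent, and it runs in an elevated session on the server that hosts the share. It also verifies the result, because whoever can write to this folder can change the deploy script that every domain computer later runs as SYSTEM.

```powershell
# Added example (not from the BluSapphire guide): create the read-only distribution
# share for the Micro-Agent package and verify that the share ACL grants nothing
# beyond Read. Assumed values: $PackagePath and $ShareName.
$PackagePath = 'C:\Deployments\Micro-Agent'   # assumed folder holding the package
$ShareName   = 'Micro-Agent'

# 1. Share permission: Everyone gets Read only (no Change/Full), matching the GUI step.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $PackagePath -ReadAccess 'Everyone' | Out-Null
}

# 2. NTFS permission: share permissions only narrow what NTFS allows, so add an
#    explicit Read & Execute rule for Everyone on the folder as well. (This does not
#    remove inherited rules for other principals; review those separately.)
$acl  = Get-Acl -Path $PackagePath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            'Everyone', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $PackagePath -AclObject $acl

# 3. Verify: warn if any Allow entry on the share grants more than Read.
$tooBroad = Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read' }
if ($tooBroad) {
    Write-Warning "Share '$ShareName' grants more than Read to: $($tooBroad.AccountName -join ', ')"
} else {
    Write-Host "Share \\$env:COMPUTERNAME\$ShareName grants Read only, as intended."
}
```

Administrators keep Full Control on the folder through inherited NTFS rules, which is what allows the package to be updated later; the point of the check is that no broad group such as Everyone or Domain Users gets Change or Full on the share.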

Create a Group Policy Object to deploy the package:

This section details how to configure the Group Policy Object (GPO) and the Scheduled Task required to push/deploy the Micro-Agent/Sysmon package.

· Open ‘Group Policy Management’ console from a machine that has access to Active Directory.

1. {Windows Key} + R to open the Run dialog

2. Type “gpmc.msc” in the “Open” field

3. Click the “Ok” button

· In the (Group Policy Management console screen), select the OU you would like to link the new GPO to and create a new GPO while linking it. In our example we will link the GPO to the Domain level.

1. Expand the Forest

2. Expand the Domains OU

3. Right click on the “<Domain Name>”

4. Click on the “Create a GPO in this domain, and Link it here…” menu item.

· In the (New GPO Screen), name the GPO. In this case we will use (C)_Win_All_SysMonDeployment, which stands for (Computer-based GPO) / Windows Systems / All (Workstations and Servers) / Description of the GPO (SysMonDeployment).

1. Type in “(C)_Win_All_SysMonDeployement” in the Name field

2. Click on the “Ok” button

· In the (Group Policy Management console screen), select the newly created GPO and update its details to disable the “User configuration settings”

1. Click on the newly created Group Policy Object

2. Click the “Details” tab in the right-hand window pane

3. Click the “GPO Status” drop down list

4. Select the “User configuration settings disabled” menu item

5. Click the “Ok” button

· In the (Group Policy Management console screen), select the newly created GPO and edit the policy settings

1. Right click on the newly created Group Policy Object

2. Click on “Edit” in the menu list

· In the ((C)_Win_All_SysMonDeployement) screen, create a new Scheduled Task

1. Click the “Computer Configuration” menu item

2. Click the “Preferences” menu item

3. Click the “Control Panel Settings” menu item

4. Right click on the “Scheduled Tasks” menu item

5. Click on the “New” menu item

6. Click on the “Scheduled Task (At least Windows 7)”

· In the (New Task (At least Windows 7) Properties) screen, update the General settings for the new Task.

1. Select “Replace” in the “Action” drop down list

2. Type a name for this Task in the “Name” field. In this case we will type “SysMonDeployment”

3. Select the “Change User or Group…” button

4. Type “System” in the “Enter the object name to select” field

5. Press the “Check Names” button

6. Click the “Ok” button

7. Check the “Run whether user is logged on or not” radio button

8. Check the “Run with highest privileges” check box

9. Check the “Hidden” check box

10. Select “Windows® 7, Windows Server ™ 2008R2” in the “Configure for” drop down list

11. Select the “Triggers” Tab

· In the (New Task (At least Windows 7) Properties) screen, update the Triggers settings for the new Task.

1. Click on the “New…” button

2. Select “At task creation/modification” in the “Begin the task” drop down list

3. Check the “Stop task if it runs longer than” check box and select “1 hour” from the drop down list

4. Check the “Activate” check box. Leave the default item, which should be the current time

5. Check the “Enabled” check box

6. Click the “Ok” button

7. Select the “Actions” tab

· In the (New Task (At least Windows 7) Properties) screen, update the Actions settings for the new Task.

1. Click on the “New…” button

2. Select “Start a program” in the “Action” drop down list

3. Type the following path and program name in the “Program/Script” field. For this instance we are running:

i. C:\Windows\System32\cmd.exe

4. Type the following arguments in the “Add arguments (optional)” field: “/c” followed by the UNC path of the deploy script on your network share. For this instance, it is a UNC path on NYCWTSTADC001 (the exact argument line is reproduced at the end of this page).

5. Click the “Ok” button

· In the (New Task (At least Windows 7) Properties) screen, update the Actions settings for the 2nd Task.

1. Click on the “New…” button

2. Select “Start a program” in the “Action” drop down list

3. Type the following path and program name in the “Program/Script” field. For this instance, we are running:

i. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

4. Type the following arguments in the “Add arguments (optional)” field. Note: this creates a log file that records every time the job is run.

i. -c $('Processed Job {0} as of {1}' -f 'SysMonDeployment', $(Get-Date)) | Out-File -FilePath $('{0}\{1}_GPO_Status.log' -f $Env:TEMP, '(C)_Win_All_SysMonDeployement') -Force

ii. Note: SysMonDeployment is the name of the Scheduled Job we defined earlier

iii. Note: (C)_Win_All_SysMonDeployement is the name of the GPO we defined earlier. Make sure this matches the name of your GPO so that the log file name makes sense.

5. Click the “Ok” button

· In the (New Task (At least Windows 7) Properties) screen, update the Actions settings for the 3rd and final Task.

1. Click on the “New…” button

2. Select “Start a program” in the “Action” drop down list

3. Type the following path and program name in the “Program/Script” field. For this instance, we are running:

i. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

4. Type the following arguments in the “Add arguments (optional)” field. Note: this removes the Scheduled Task once it has been triggered, so that the next time the GPO is applied it kicks off the same script again.

i. -c start -FilePath 'schtasks.exe' -ArgumentList '/Delete /TN "SysMonDeployment" /F'

ii. Note: SysMonDeployment is the name of the Scheduled Job we defined earlier. If you change the name of the Scheduled job please change it here or the task will not be deleted.

5. Click the “Ok” button

6. Select the “Settings” tab

· In the (New Task (At least Windows 7) Properties) screen, update the Settings configuration.

1. Check the “Allow task to be run on demand” check box

2. Check the “Run task as soon as possible after a scheduled start is missed” check box

3. Check the “Stop the task if it runs longer than” check box and select “1 hour” from the drop down list

4. Check the “If the running task does not end when requested, force it to stop” check box

5. Select “Do not start a new instance” from the “If the task is already running, then the following rule applies” drop down list

6. Click on the “Ok” button
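Before linking the GPO to a whole OU, it is useful to register the same task on a single test machine and watch the three actions run. The script below is an added example, not part of the BluSapphire guide, and it is not how the GPO preference itself is stored; it recreates the task with the Scheduled Tasks cmdlets using the task name, GPO name, program paths and argument strings from the steps above. The UNC path of the deploy script is taken from the guide’s example server NYCWTSTADC001 and must be replaced with your own share. The “At task creation/modification” trigger has no direct cmdlet equivalent, so a one-time trigger a minute in the future is used instead.

```powershell
# Added example (not from the BluSapphire guide): register a local scheduled task
# equivalent to the GPO preference described in the guide, for testing on one machine.
# Assumed value: $DeployBat (the guide's example UNC path).
$TaskName   = 'SysMonDeployment'
$GpoName    = '(C)_Win_All_SysMonDeployement'   # must match the GPO name used for the status log
$DeployBat  = '\\NYCWTSTADC001\deployments\Micro-Agent\Deploy_Sysmon.bat'
$PowerShell = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

# Action 1: run the deploy batch file from the read-only share via cmd.exe /c.
$runDeploy = New-ScheduledTaskAction -Execute 'C:\Windows\System32\cmd.exe' -Argument "/c $DeployBat"

# Action 2: write "Processed Job ... as of <date>" to %TEMP%\<GPO>_GPO_Status.log.
# Backticks keep the $(...) expressions literal so they are evaluated on the endpoint,
# not while this script builds the argument string. When the task runs as SYSTEM,
# $Env:TEMP resolves to C:\Windows\Temp.
$logArgs = @"
-c `$('Processed Job {0} as of {1}' -f '$TaskName', `$(Get-Date)) | Out-File -FilePath `$('{0}\{1}_GPO_Status.log' -f `$Env:TEMP, '$GpoName') -Force
"@
$writeLog = New-ScheduledTaskAction -Execute $PowerShell -Argument $logArgs

# Action 3: delete the task itself so the next GPO refresh recreates and re-runs it.
$deleteArgs = "-c start -FilePath 'schtasks.exe' -ArgumentList '/Delete /TN `"$TaskName`" /F'"
$selfDelete = New-ScheduledTaskAction -Execute $PowerShell -Argument $deleteArgs

# Trigger: run once shortly after registration (stands in for "At task creation/modification").
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1)

# General tab: run as SYSTEM, whether or not a user is logged on, with highest privileges.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Settings tab: hidden, 1 hour limit, run ASAP after a missed start, no parallel instances.
$settings = New-ScheduledTaskSettingsSet -Hidden -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -StartWhenAvailable -MultipleInstances IgnoreNew -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

# -Force replaces an existing task of the same name, like the GPO preference's "Replace" action.
Register-ScheduledTask -TaskName $TaskName -Action @($runDeploy, $writeLog, $selfDelete) `
    -Trigger $trigger -Principal $principal -Settings $settings -Force | Out-Null

Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```

The actions run in the order listed, so the status log is written only after the deploy script has finished, and the task disappears from Task Scheduler once the third action completes; that is expected, and the log file is the durable record that it ran.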

Test Deployment via GPO:

Manually push and test the GPO on one of the end-machines; this should deploy Micro-Agent/Sysmon through the scheduled task configured earlier.

1. Log on to a specific end-machine and launch a command prompt.

2. Run “gpupdate /force” to force a Group Policy update.

3. Successful execution of the “gpupdate /force” command pulls the respective group policies from AD, and the deployment task for Sysmon should then be visible in the Task Scheduler on the end-machine.

4. Once the task has run successfully, you should see the service ‘sysmon’ (or ‘sysmon64’) installed and actively running on the end-machine.
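The checks in steps 3 and 4 can be scripted on the end-machine, which is handy when validating more than a handful of hosts. The script below is an added example, not part of the BluSapphire guide; it assumes the task and GPO names used above, that the status log lands in C:\Windows\Temp (the TEMP directory of SYSTEM), and that the Micro-Agent runs as a Windows service named winlogbeat. It goes one step beyond the guide by also confirming that Sysmon is actually writing events, since an installed but silent sensor provides no detection value.

```powershell
# Added example (not from the BluSapphire guide): verify on an end-machine that the GPO
# task ran and that Sysmon and the Micro-Agent (Winlogbeat) are installed and active.
# Assumed values: $TaskName, $GpoName, the SYSTEM temp path and the service name 'winlogbeat'.
# Run in an elevated PowerShell session on the end-machine.
$TaskName  = 'SysMonDeployment'
$GpoName   = '(C)_Win_All_SysMonDeployement'
$StatusLog = Join-Path 'C:\Windows\Temp' "${GpoName}_GPO_Status.log"

$checks = [ordered]@{}

# 1. Is the task present? It exists only between GPO refresh and its self-delete action,
#    so "absent" can mean either "never pushed" or "already completed"; read with check 2.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
$checks['Scheduled task present'] = [bool]$task

# 2. The second task action writes this file each time the job runs.
$checks['Status log written'] = Test-Path $StatusLog
if (Test-Path $StatusLog) { $checks['Last status line'] = Get-Content $StatusLog -Tail 1 }

# 3. Sysmon registers as 'Sysmon' or 'Sysmon64' depending on the binary deployed.
$sysmon = Get-Service -Name 'Sysmon', 'Sysmon64' -ErrorAction SilentlyContinue
$checks['Sysmon service running'] = [bool]($sysmon | Where-Object Status -eq 'Running')

# 4. A running Sysmon should be producing events in its operational channel.
$lastEvent = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 1 -ErrorAction SilentlyContinue
$checks['Sysmon events flowing'] = [bool]$lastEvent
if ($lastEvent) { $checks['Last Sysmon event'] = $lastEvent.TimeCreated }

# 5. The Micro-Agent (Winlogbeat) service that forwards those events (assumed service name).
$beat = Get-Service -Name 'winlogbeat' -ErrorAction SilentlyContinue
$checks['Winlogbeat service running'] = [bool]($beat -and $beat.Status -eq 'Running')

# 6. Confirm from the computer-side RSoP that the GPO itself was applied to this host.
$gpresult = gpresult /r /scope:computer 2>$null
$checks['GPO listed in gpresult'] = [bool]($gpresult | Select-String -SimpleMatch $GpoName)

[PSCustomObject]$checks | Format-List
```

If “GPO listed in gpresult” is true but neither the task nor the status log appears, the usual cause is that the task could not start: check that the end-machine can reach the share path and that the Scheduled Tasks preference item is enabled in the GPO.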


Arguments for the first Action (step 4 of the first Actions section above), i.e. “/c” followed by the UNC path of the deploy script on the network share:

i. /c \\NYCWTSTADC001\deployments\Micro-Agent\Deploy_Sysmon.bat